One year into the GDPR’s enforcement, small and large businesses alike are still underprepared.

At Sovy, we’ve seen many misguided attempts to comply with the law: some organisations appoint a DPO when they don’t need one, while others publish a privacy policy that doesn’t meet the requirements, to name just two.

As a result, we’ve written this guide specifically for small businesses like yours. It covers these common mistakes and lays out a compliance roadmap that gives you a clear path forward.

Does the GDPR Apply to My Business?

The GDPR applies to you if your business is established in the EU, or if it is established elsewhere but offers goods or services to people in the EU or monitors their behaviour (Article 3), and either of the following is true:

You collect, store or process personal data in any format for your own purposes (you are a controller). For example:

CCTV

Website cookies

Emails

Payment information

Delivery details

Employee personal data

You collect, store or process personal data on behalf of another company (you are a processor)

Your Compliance Roadmap

1. Make a team

You might be a small business, but chances are you didn’t build your business, its policies and its IT infrastructure single-handedly.

Make your team representative of the parts of your business that handle, secure or govern personal data.

This team will own the steps that follow: mapping your data flows, reviewing policies and legal contracts, and fixing the gaps you find.

We’d recommend the team consist of your CEO and your main legal, IT and HR people (if you have them).

2. Map data flows

‘Data mapping’ has become a buzzword across the industry, particularly in the realm of GDPR compliance. Because it’s so important to the rest of your compliance process (not to mention hard and tedious!), plenty of businesses advertise their ability to do the data mapping for you.

But the offer is often too good to be true, unless you’re willing to pay more than small businesses usually can. The reason is that personal data is rarely in one place: it sits in employee mailboxes, in your payment and delivery providers’ systems, on CCTV recorders and in HR files, and nobody outside your business knows where all of it is.

At the end of the day, you’re probably going to have to do this yourself.

So how do you do data mapping?

Start with your team: ask them what types of personal data they or their staff handle. From there, build a list that answers, for each type of personal data, the questions Article 30 requires a record of processing activities to cover:

What the data is and whose it is (the categories of personal data and of data subjects)

Why you process it (the purposes)

Who receives it, including any processors you share it with

Whether it is transferred outside the EEA and, if so, under what safeguard

How long you keep it, or the criteria that decide that

What technical and organisational security measures protect it

Once you’ve answered these questions for each type of personal data you collect, store that information in a single document. Congratulations: you’ve not only completed a data mapping exercise but you’ve also made a record of processing activities (GDPR Article 30).

3. Review documentation

The GDPR updates certain documents you might already have (like your privacy policy) and adds others (like your record of processing activities).

Make sure you have an externally facing privacy policy that meets the requirements set out in Articles 13 and 14 of the GDPR (Article 13 covers data you collect from the individual directly, Article 14 data you obtain from elsewhere).

You should also have an internal data protection policy that describes your procedures for collecting, handling, accessing, storing and deleting personal data, and for disclosing it to third parties.

The GDPR requires a personal data breach to be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (unless it is unlikely to result in a risk to individuals), and to the affected individuals without undue delay where the risk to them is high (Articles 33 and 34). You should therefore have notification templates and a written breach response procedure covering detection, assessment, notification and follow-up, so nobody is working out the process for the first time while the clock is running.

If third parties process personal data on your behalf, put a data processing agreement in place with each of them containing the terms Article 28 requires: processing only on your documented instructions, confidentiality, appropriate security measures, controls on sub-processors, assistance with data subject requests and breaches, return or deletion of the data at the end of the service, and the information and audit rights you need to check that they comply.

If you transfer data outside the EEA, make sure an appropriate transfer mechanism is in place that binds the recipient to GDPR-equivalent obligations, unless the destination country is covered by an EU adequacy decision. For most small businesses this means standard contractual clauses; binding corporate rules are an option for transfers within a corporate group.

4. Fix Gaps

Once you’ve reviewed your policies and processes against GDPR requirements, it’s time to fix any mismatches or gaps in your compliance programme. Here are some common areas where organisations have trouble:

Subject Access Requests and Rights Compliance

The GDPR gives individuals rights such as the right to access, rectify, erase, restrict and port their personal data, and to object to its processing. Each of these imposes technical and organisational obligations on you.

For example, giving people the right to data portability means you must be able to hand over the data they provided in a structured, commonly used and machine-readable format, such as CSV, JSON or XML. A PDF is human-readable but not machine-readable, so it falls short for portability even where it is acceptable for a plain access request.

Giving people the right to erasure also means you have to coordinate with every processor holding a copy and make sure they delete the information in question too.

And answering an access request means you must already have done the data mapping exercise, so you can find all the data you hold on the individual along with the purposes, recipients and retention periods that go with it.

There are a few caveats that make this response process a little more complicated.

First off, before you start dumping data on every customer who submits an access request, you need to verify their identity. In the cybersecurity field, we worry that the access request process will be an easy way for impostors to extract sensitive information from unwitting businesses: a request arriving by e-mail and claiming to be from a customer is, until verified, just an e-mail. Confirm identity through a channel you already hold on record (the account login, or the registered e-mail address or phone number), ask only for the additional information you genuinely need to resolve a doubt (Article 12(6)), and never send the data to an address that appears only in the request itself.

The second complication is the clock: the GDPR gives you one month from receipt to comply (Article 12(3)). That can be extended by two further months where requests are complex or numerous, but you must tell the individual about the extension, with reasons, within the first month. So you generally have to complete the following steps in a short time span:

authentication

review of the request’s legitimacy

data gathering

communication to the individual

That’s why you need policies and procedures at each step of the process, as well as a record of processing activities to know where data is and why you process it.
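As an added example (this is not Sovy’s code and not part of the original guide), here is how the steps above, and the record of processing activities from the data mapping section, fit together when a request comes in. The systems, records, processor names and the verification token are constructed sample data; in practice the token would be sent to the e-mail address or phone number you already hold for the customer. Deadlines follow Article 12(3): one month from receipt, extendable by two further months for complex or numerous requests.

```python
"""Data-subject-request (DSAR) workflow for a small controller.

Added example, not Sovy's code: identity check before any release, the
one-month clock of Article 12(3), gathering via the record of processing
activities (Article 30), a machine-readable export (Article 20) and the
processors to instruct on erasure (Article 17). All names, records and
tokens below are constructed sample data.
"""
import calendar
import hmac
import json
from dataclasses import dataclass
from datetime import date

# Constructed record of processing activities (Article 30): per system, what
# is held, why, for how long, and which processor (if any) holds a copy.
ROPA = {
    "crm": {"purpose": "customer support", "processor": None,
            "retention_months": 36},
    "orders": {"purpose": "performance of contract", "processor": "PayCo Ltd",
               "retention_months": 84},
    "newsletter": {"purpose": "marketing (consent)", "processor": "MailTool GmbH",
                   "retention_months": 24},
}

# Constructed sample records held in each system, keyed by the subject's e-mail.
SYSTEMS = {
    "crm": {"ana@example.com": {"name": "Ana Silva", "email": "ana@example.com"}},
    "orders": {"ana@example.com": {"delivery address": "1 Rua Alta, Lisboa",
                                   "payment reference": "PAY-0042"}},
    "newsletter": {},  # Ana never subscribed, so nothing is held here
}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic clamped to month end (31 Jan + 1 = 28/29 Feb)."""
    years, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


@dataclass
class Request:
    subject_id: str
    received_on: date
    verified: bool = False

    @property
    def deadline(self) -> date:
        """Article 12(3): respond within one month of receipt."""
        return add_months(self.received_on, 1)

    def extended_deadline(self, complex_or_numerous: bool) -> date:
        """Two further months only for complex or numerous requests; the
        extension must be communicated before the original deadline."""
        return add_months(self.received_on, 3 if complex_or_numerous else 1)


def verify_identity(req: Request, presented: str, expected: str) -> bool:
    """Gate every release on a token sent to a contact channel already on
    record. compare_digest avoids leaking the token byte by byte via timing."""
    req.verified = hmac.compare_digest(presented.encode(), expected.encode())
    return req.verified


def _require_verified(req: Request) -> None:
    if not req.verified:
        raise PermissionError("identity not verified: do not release or delete data")


def gather(req: Request) -> dict:
    """Access request: walk every system in the ROPA and return the data with
    its purpose, retention and recipients, not just the raw records."""
    _require_verified(req)
    out = {}
    for system, meta in ROPA.items():
        record = SYSTEMS[system].get(req.subject_id)
        if record is not None:
            out[system] = {"data": record, **meta}
    return out


def portable_export(req: Request) -> str:
    """Portability (Article 20): structured, commonly used, machine-readable.
    JSON qualifies; a PDF of the same records would not."""
    return json.dumps({s: v["data"] for s, v in gather(req).items()},
                      indent=2, ensure_ascii=False, sort_keys=True)


def processors_to_instruct(req: Request) -> list:
    """Erasure (Article 17): every processor holding a copy must delete too,
    so derive the list from the ROPA rather than from memory."""
    return sorted({v["processor"] for v in gather(req).values() if v["processor"]})


if __name__ == "__main__":
    req = Request("ana@example.com", date(2019, 5, 25))
    verify_identity(req, "7f3a-constructed", "7f3a-constructed")
    print("answer by", req.deadline, "\n", portable_export(req))
    print("erasure would also need:", processors_to_instruct(req))
```

Routing erasure through the same record of processing activities means the list of processors to instruct comes from your documentation rather than from someone’s memory; if the record is stale, the erasure is incomplete, which is one more reason to keep it current.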

Privacy Notices

The GDPR has very specific items for organisations to include in their privacy notices (Articles 13 and 14):

The identity of the data controller (you) and contact information

A description of the types of data you collect and process

Purposes and legal basis for processing

Recipients or categories of recipients of the data

Details regarding transfers outside the EEA

Details regarding how long data will be stored

A list of the rights afforded to data subjects, and actionable ways of exercising them

The right to lodge a complaint with the supervisory authority

Details regarding the logic and consequences of any automated decision-making

Where you did not collect the data from the individual directly, the source it came from

On top of this information, the GDPR requires the notice to be concise, transparent, intelligible and written in clear and plain language (Article 12), not legalese; regulators recommend presenting it in layers (e.g. dropdowns, expandable sections). You must provide it at the time you collect personal data from the individual, or, for data obtained from elsewhere, within a reasonable period and at the latest within one month.

5. Educate Staff

Finally, you need to train employees who handle personal data (or who set the policies for those who do) in proper data handling and data hygiene.

You should also educate management, particularly your data protection officer or equivalent point person, in GDPR requirements.

Since the GDPR differs from earlier data protection law in important ways, we recommend investing in educational content specific to the GDPR itself rather than general data protection and cybersecurity training.

Since different roles will interact with the GDPR in different ways, it’s ideal to get training tailored to those specific functions (such as IT, HR, C-suite/management).

Common Mistakes

1. The GDPR Exempts Small Businesses. False

You may have heard that the GDPR carves out an exception for small businesses. It does, but it is narrow: organisations with fewer than 250 employees are exempt from the formal record-keeping requirement of Article 30, and even then only if their processing is occasional, is unlikely to result in a risk to individuals and does not involve special categories of data or criminal convictions data (Article 30(5)). Every other obligation applies regardless of size.

And at the end of the day, you’ll probably find that the record is something you’ll want to keep for your own data mapping and documentation purposes anyway.

In fact, the path to compliance looks very similar for small and large organisations alike.

2. Get Consent for Everything. False

The GDPR requires organisations to have a lawful basis for processing personal data and tightened the conditions for consent, which is only one of the six bases available (Article 6).

You’d think the stricter requirements would make people rely on consent less, but that doesn’t seem to be the case.

In fact, the GDPR wants organisations to use consent less, and to pick another basis where one fits, because:

it’s a weak way to protect privacy, since people routinely underestimate the long-term impact of disclosing their data and agree to more than they would on reflection; and

constantly asking for explicit affirmation is a logistical burden on both user and business, and consent that is refused or withdrawn leaves you with no basis to continue.

3. You Always Need a DPO. False

Appointing a Data Protection Officer (DPO) is a costly task, and the GDPR recognises the burden by requiring one of a business only where its core activities either involve regular and systematic monitoring of individuals on a large scale, or involve large-scale processing of special categories of data (health, biometrics, political opinions and the like) or of criminal convictions data (Article 37). Public authorities must appoint one regardless, and member states may add further cases, so check your national law too.

Otherwise, you should have someone in charge of your privacy programme (a “privacy point person”), but that is different from a DPO, which is a legally defined position with specific requirements and obligations under the GDPR: for example, the DPO must report to the highest level of management, must not be instructed in how to carry out their tasks, and their contact details must be published and given to the supervisory authority.

4. GDPR fines are €20 million or 4% of global revenue. Partly True

These are the maximum fines a supervisory authority (Data Protection Authority, DPA) can impose. There are actually two tiers, depending on what you did wrong, and in each case the cap is whichever of the two figures is higher (Article 83).

Tier 1 is up to €10 million or 2% of total worldwide annual turnover for breaches of your obligations as a controller or processor, such as failing to carry out a data protection impact assessment, to implement data protection by design and by default, to keep records of processing, to secure the data or to notify a breach.

Tier 2 is indeed up to €20 million or 4% of total worldwide annual turnover for infringements of the basic principles of processing, including getting your lawful basis or consent wrong, failing to honour data subject rights, or transferring personal data outside the EEA without appropriate safeguards.

But with all this in mind, DPAs rarely impose fines anywhere near these maxima, particularly on small businesses; any fine must be proportionate to the nature, gravity and duration of the infringement. DPAs also have corrective powers that involve no money at all, such as warnings, reprimands, orders to comply with a request, and temporary or permanent bans on processing (Article 58).

Getting Started

All this information may feel overwhelming, but that’s why Sovy exists as a business – to simplify the compliance process for you and help you through each step.
